Feeds

NSA coughs to 1000s of unlawful acts of snooping on US soil since 2008

Oversight judge admits: 'I've no idea what the true figure is'

High performance access to file storage

The NSA violated privacy laws thousands of times in the last five years by spying on US citizens, an internal audit by the super-snoopers has disclosed.

The Washington Post reports that the intelligence agency also overstepped its legal remit since Congress gave it broad powers in 2008.

Most of the violations involved unauthorised surveillance of Americans and foreigners in the US. Problems arose thanks to clumsy operator mistakes, insufficient or inaccurate research, failures to follow the correct procedures and even typos.

Meanwhile, system errors led to further problems, such as failures to recognise foreign phone users who roamed onto US soil but whose data was hoovered up anyway.

An NSA internal audit, leaked to the Washington Post by former NSA contractor turned whistleblower Edward Snowden, logs 2,776 incidents of "unauthorized collection, storage, access to or distribution of legally protected communications" in the year to May 2012.

Most were accidental mishaps where procedures were not followed correctly, but some involved violations of a court order - such as a February 2012 incident involving the unauthorised retention of 3,000 files that a surveillance court had ordered the NSA to destroy.

Violations include unauthorised access to intercepted communications and the use of automated systems without built-in safeguards to prevent unlawful surveillance.

NSA 'marking its own homework'

The audit only covers figures from the NSA's Maryland headquarters and Washington DC offices and not those from its regional collection centres.

In some cases, the NSA decided that it didn't need to report the unintended surveillance of US residents and citizens. One glaring example of unreported dragnet overreach occurred in 2008 when a programming error resulted in the interception of a large number of calls made in the Washington DC area: buggy software confused the US telephone area code 202 with intentional calls made to Egypt (country code +20).

In another case the Foreign Intelligence Surveillance Court was not told about a data collection programme run by the NSA until months after it was up and running. The court eventually ruled in October 2011 that hoovering up international communications passing through fibre-optic cables in the United States, was unconstitutional because Americans' emails and other net traffic was collected. The agency was ordered to drop the collection programme within 30 days unless it figured out a way to filter out US citizens' traffic.

Evading official scrutiny

Another leaked document instructs NSA analysts about how to explain their targeting decisions without giving "extraneous information" to overseers in the Department of Justice, Congress or the special court that scrutinises surveillance. NSA personnel are "instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence", the Post reports.

This relates to an internal NSA document [PDF] that offers rationales for targeting and provides examples of the kinds of people the NSA may spy on - and that's besides amassing 1.6 per cent of the world's net communications. The document makes for an interesting read.

Other training files explain that analysts do not need to report "incidental" collection of data from US citizens, green-card holders or companies to the NSA Inspector General because (in the opinion of the NSA) it is not deemed a violation of the rules.

Signals intelligence spooks are allowed to use anonymised sets of data routinely, and with supervisory permission they may unmask the identities of US persons in reports to the agency's clients, such as the CIA and US military, among others.

FISA judge: We can't investigate non-compliance

In response to the Post's revelations about its violation of privacy rules, the NSA said it attempts to identify problems "at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down".

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post in an interview.

The chief judge of the secret court tasked with overseeing the NSA's dragnet surveillance said his court's powers of scrutiny are limited because it is reliant on government reports of improper spying. There is no independent verification, the Post reports.

"The FISC is forced to rely upon the accuracy of the information that is provided to the Court," its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. "The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders."

The judge's frank admission pulls the rug out from under repeated assurances from President Obama and his officials that the secret intelligence court provides robust oversight of government surveillance. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.